Utilizing voice biometrics to generate a secure digital identity for a user without access to technology

ABSTRACT

In some implementations, a system may generate information that identifies a passphrase to be used as a biometric input. The system may receive a voice input of a user speaking the passphrase. The system may generate one or more cryptographic keys based on the voice input. The system may generate a digital identifier based on the one or more cryptographic keys. The system may generate one or more biometric templates for the user. The system may encrypt the one or more biometric templates using the one or more cryptographic keys and to generate one or more encrypted biometric templates. The system may store in a secure storage associated with the user, at least one of the digital identifier, a public key of the one or more cryptographic keys, a phone number associated with the user, or the one or more encrypted biometric templates. Numerous other aspects are provided.

CROSS-REFERENCE TO RELATED APPLICATION

This Patent Application claims priority to European Patent ApplicationNo. 20290059.3, filed on Aug. 10, 2020, and entitled “VOICE BIOMETRICS.”The disclosure of the prior Application is considered part of and isincorporated by reference into this Patent Application.

BACKGROUND

Identity verification involves one or more actions taken to confirm anidentity of a user. For example, identity verification may includedirecting the user to complete a task to confirm the identity of theuser. The task may include providing authentication information, such asa government issued identification card (e.g., a passport or a driver'slicense), a username, a password, a personal identification number(PIN), or another type of authentication information.

SUMMARY

In some implementations, a method includes generating, by a system,information that identifies a passphrase to be used as a biometricinput; receiving, by the system, a voice input of a user speaking thepassphrase; generating, by the system, one or more cryptographic keysbased on the voice input; generating, by the system, a digitalidentifier based on the one or more cryptographic keys; generating, bythe system, one or more biometric templates for the user; encrypting, bythe system, the one or more biometric templates using the one or morecryptographic keys and to generate one or more encrypted biometrictemplates; and storing, by the system, in a secure storage associatedwith the user, at least one of the digital identifier, a public key ofthe one or more cryptographic keys, a phone number associated with theuser, or the one or more encrypted biometric templates.

In some implementations, a system includes one or more memories; and oneor more processors, communicatively coupled to the one or more memories,configured to: generate information that identifies a passphrase to beused as a biometric input; receive a voice input of a user speaking thepassphrase; generate one or more cryptographic keys based on the voiceinput and using a fuzzy extractor technique, wherein the one or morecryptographic keys include a public key and a corresponding private key;generate a digital identifier based on the one or more cryptographickeys; generate one or more biometric templates for the user; encrypt theone or more biometric templates using the one or more cryptographic keysand to generate one or more encrypted biometric templates; and store, ina secure storage associated with the user, at least one of the digitalidentifier, a public key of the one or more cryptographic keys, a phonenumber associated with the user, or the one or more encrypted biometrictemplates.

In some implementations, a non-transitory computer-readable mediumstoring a set of instructions includes one or more instructions that,when executed by one or more processors of a system, cause the systemto: receive, via interaction with a user, a request for a digitalidentifier for the user; generate, based on the request, informationthat identifies a passphrase to be used as a biometric input; provide,via interaction with the user, information instructing the user to speakthe passphrase; receive a voice input of the user speaking thepassphrase; generate one or more cryptographic keys based on the voiceinput; generate a digital identifier based on the one or morecryptographic keys; generate one or more biometric templates for theuser; encrypt the one or more biometric templates using the one or morecryptographic keys and to generate one or more encrypted biometrictemplates; and store, in a secure storage associated with the user, atleast one of the digital identifier, a public key of the one or morecryptographic keys, a phone number associated with the user, or the oneor more encrypted biometric templates.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A-1F are diagrams of an example implementation described herein.

FIG. 2 is a diagram of an example environment in which systems and/ormethods described herein may be implemented.

FIG. 3 is a diagram of example components of one or more devices of FIG.2.

FIG. 4 is a flowchart of an example process relating to utilizing voicebiometrics to generate a secure digital identity for a user.

DETAILED DESCRIPTION

The following detailed description of example implementations refers tothe accompanying drawings. The same reference numbers in differentdrawings may identify the same or similar elements.

A person may be required to verify the person's identity to an entity inorder to obtain various services and/or perform certain functions. Forexample, to establish an account with a financial institution, to votein a governmental election, and/or to obtain a governmental service, aperson may be required to provide authentication information (e.g., agovernment issued identification card, a username, a password, a PIN,and/or the like) that can be used to verify the person's identity.

In some cases, the person may not have and/or may not be able to obtainthe required authentication information. For example, the person's levelof education may prohibit the person from being able to fill out formsnecessary to obtain the required authentication information. As anotherexample, an entity may utilize a digital identity verification system,and the person's economic level may prohibit the person from obtaining adevice necessary to utilize the digital identity verification system. Inthese cases, the person may not be able to access services and/orfunctions that may be beneficial to the person. For example, the personmay not be able to obtain a driver's license, vote in a governmentalelection, and/or the like.

Some implementations described herein relate to an identity system thatutilizes voice biometrics to generate a secure digital identity for auser. In some implementations, the identity system may generateinformation that identifies a passphrase to be used as a biometricinput. The identity system may receive a voice input of a user speakingthe passphrase. The identity system may generate one or morecryptographic keys based on the voice input. The identity system maygenerate a digital identifier based on the one or more cryptographickeys. The identity system may generate one or more biometric templatesfor the user. The identity system may encrypt the one or more biometrictemplates using the one or more cryptographic keys to generate one ormore encrypted biometric templates. The identity system may store, in asecure storage associated with the user, the digital identifier, apublic key of the one or more cryptographic keys, a phone numberassociated with the user, and/or the one or more encrypted biometrictemplates.

The user may utilize the identity system to verify the user's identityto perform a secure operation (e.g., establish an account with afinancial institution, vote in a governmental election, obtain agovernmental service, and/or the like). For example, the identity systemmay receive, via interaction with the user (e.g., a telephone call), auser request for a secure operation. The identity system may identifysecure storage associated with the user based on the phone number oranother identifier associated with the user. The identity system mayobtain the passphrase from the secure storage and may prompt the user tospeak the passphrase. The identity system may receive another voiceinput of the user speaking the passphrase and may generate a signing keyfor the user based on the other voice input. The identity system mayobtain the one or more encrypted biometric templates from the securestorage and may decrypt the one or more encrypted biometric templatesusing the signing key. The identity system may generate a requestassociated with the secure operation based on successful decryption ofthe one or more encrypted biometric templates. The identity system maysign the request using the signing key to generate a signed request andmay transmit the signed request to a device associated with performingthe secure operation. In this way, the identity system may prevent aperson's level of education or economic level from prohibiting theperson from obtaining authentication information that can be used toverify the person's identity.

FIGS. 1A-1F are diagrams of an example 100 associated with utilizingvoice biometrics to generate a secure digital identity for a user. Asshown in FIGS. 1A-1F, example 100 includes a client device associatedwith an identity system. The client device may be associated with a userand may include a device configured to provide a biometric input (e.g.,a passphrase spoken by the user) to the identity system. For example,the client device may include a telephone, a cellular phone, a smartphone, and/or the like.

The identity system may include one or more devices configured togenerate a secure digital identity for a user, as described herein. Theidentity system may include a trusted execution environment (alsoreferred to as a secure enclave). The trusted execution environment maycomprise one or more hardware modules that allow for data processingwithin hardware-provided, encrypted private memory areas directly on amicroprocessor chip of the identity system. The trusted executionenvironment may run in parallel with an operating system of the identitysystem and may utilize hardware and software to protect data and codeassociated with the trusted execution environment. The trusted executionenvironment may allow the identity system to operate within a secure,isolated environment when deployed within a cloud computing system.

As shown in FIG. 1A, and by reference number 105, the identity systemreceives, from the client device, a telephone call from a userrequesting enrollment in generating a digital identifier for the user.For example, a user may utilize a telephone function of the clientdevice to call the identity system (e.g., by inputting a phone numberassociated with the identity system via a physical and/or digital keypadof the client device).

As shown by reference number 110, the identity system generatesinformation that identifies a passphrase to be used as a biometricinput. In some implementations, the identity system generates theinformation identifying the passphrase based on receiving the telephonecall from the user.

As an example, the identity system may be associated with a plurality oftelephone numbers. Each telephone number may be associated with arespective function performed by the identity system. The user mayutilize a first telephone number, of the plurality of telephone numbers,to call the identity system. The first telephone number may beassociated with the identity system generating the information thatidentifies the passphrase. The identity system may receive the telephonecall and may determine that the first telephone number was utilized tocall the identity system. The identity system may generate theinformation that identifies the passphrase based on the first telephonenumber being utilized to call the identity system.

Alternatively, and/or additionally, the identity system may generate theinformation identifying the passphrase based on an input provided by theuser. As an example, the identity system may provide a query to theuser, via the client device, based on receiving the telephone call. Thequery may indicate that the user is to provide information identifying apurpose of the telephone call (e.g., provide information identifying afunction to be performed by the identity system). The user may providean input (e.g., a spoken input, a text input, an input corresponding tothe user pressing a particular key on the keypad of the client device,and/or the like) to the identity system based on the query. The identitysystem may generate the information that identifies the passphrase basedon the input.

As shown by reference number 115, the identity system provides theinformation that identifies the passphrase to the client device. In someimplementations, the identity system provides the information thatidentifies the passphrase as an audio output reciting the passphrase tothe user. For example, the identity system may include a text-to-speechconverter that converts the information that identifies the passphraseto an audio output, and the identity system may provide the audio outputto the user via the telephone call.

Alternatively, and/or additionally, the identity system may provide theinformation that identifies the passphrase as a text output. Forexample, the identity system may generate a text message that includesthe information that identifies the passphrase and may transmit the textmessage to the client device. The client device may receive the textmessage and may provide the text message for display to the user.

In some implementations, the identity system determines a form (e.g.,audio, text, and/or video) of the information that identifies thepassphrase based on information input by the user. For example, the usermay input information identifying the form of the information thatidentifies the passphrase in response to a query provided by theidentity system.

As shown by reference number 120, the identity system receives, from theclient device, a voice input of the user speaking the passphrase. Theuser may receive the information that identifies the passphrase via theclient device. The user may speak the passphrase based on receiving theinformation. The client device may utilize a microphone to generate avoice input signal from the voice input based on the user speaking thepassphrase and may provide the voice input signal to the identity systemvia a communication session associated with the telephone call.

In some implementations, the identity system performs a qualityassessment on the voice input signal. For example, the identity systemmay determine a signal-to-noise ratio (SINR) associated with the voiceinput signal, a quantity of data lost or corrupted during thetransmission of the voice input signal, an amount of background noisepresent in the voice input signal, and/or the like. In someimplementations, the identity system may determine that a quality of thevoice input signal is insufficient for generating cryptographic keysbased on performing the quality assessment. For example, the identitysystem may determine that the SINR associated with the voice inputsignal satisfies a first threshold, that the quantity of data lost orcorrupted during the transmission of the voice input signal satisfies asecond threshold, that the amount of background noise present in thevoice input signal satisfies a third threshold, and/or the like. Theidentity system may request that the user repeat the passphrase and/ormay receive another voice input based on determining that the quality ofthe voice input signal is insufficient for generating the cryptographickeys.

In some implementations, the identity system determines that the qualityof the voice input signal is sufficient for generating cryptographickeys. For example, the identity system may determine that the SINRassociated with the voice input signal satisfies a fourth threshold,that the quantity of data lost or corrupted during the transmission ofthe voice input signal satisfies a fifth threshold, that the amount ofbackground noise present in the voice input signal satisfies a sixththreshold, and/or the like. The identity system may provide the voiceinput signal to the trusted execution environment of the identity systembased on the quality of the voice input signal being sufficient forgenerating the cryptographic keys.

As shown in FIG. 1B, and by reference number 125, the identity systemgenerates one or more cryptographic keys based on the voice inputsignal. For example, the identity system may generate a public key and acorresponding private key based on the voice input signal. The identitysystem may generate the one or more cryptographic keys within thetrusted execution environment of the identity system.

In some implementations, the identity system utilizes a Fuzzy extractorto generate the one or more cryptographic keys. The Fuzzy extractor maybe a biometric tool that allows for user authentication using abiometric template constructed from the user's biometric data (e.g., thevoice input signal) as a key. The identity system may utilize the Fuzzyextractor to extract a uniform and random string R from the voice inputsignal. The string R may have a tolerance for noise such that the stringR may be extracted from another voice input signal having small changesrelative to the voice input signal (e.g., small changes caused by a SINRassociated with the other voice input signal, small changes caused bythe user speaking the passphrase in a slightly different manner, and/orthe like). The identity system may generate a cryptographic key based onthe string R.

In some implementations, the identity system utilizes the Fuzzyextractor to generate a helper string P. The helper string P comprise afunction (e.g., a probabilistic function) that enables the identitysystem to generate the original voice input provided by the user from asubsequent voice input provided by the user that is sufficiently similarto the original voice input. The subsequent voice input may besufficiently similar to the original voice when a Hamming distance(e.g., a quantity of bit positions that differ between the originalvoice input signal and the subsequent voice input signal) satisfies aHamming distance threshold, when an edit distance (e.g., a quantity ofinsertions and deletions needed to convert the subsequent voice inputsignal into the original voice input signal) satisfies an edit distancethreshold, and/or the like.

As shown by reference number 130, the identity system generates adigital identifier based on the one or more cryptographic keys. Theidentity system may generate the digital identifier within the trustedexecution environment of the identity system. The digital identifier maybe a persistent identifier or handle used to identify a secure storageassociated with the user. The secure storage may include a wallet storedin a memory within the trusted execution environment and/or a walletstored in a memory of the client device.

In some implementations, the identity system generates the digitalidentifier based on one or more portions of the one or morecryptographic keys. For example, the identity system may generate thedigital identifier based on utilizing the one or more cryptographic keysas parameters of, or inputs to, an algorithm (e.g., a cryptographicalgorithm, a hashing algorithm, and/or another type of algorithm).

As shown in FIG. 1C, and by reference number 135, the identity systemgenerates one or more biometric templates and encrypts the one or morebiometric templates with the one or more cryptographic keys. A biometrictemplate, of the one or more biometric templates, may comprise a digitalrepresentation of one or more unique features of the voice input signal.The identity system may analyze the voice input signal to determine theone or more unique features of the voice input. The identity system mayextract one or more portions of the voice input signal corresponding tothe one or more unique features. The identity system may convert the oneor more portions of the voice input signal into a mathematical filecorresponding to the biometric template.

The identity system may encrypt the biometric template with the one ormore cryptographic keys. In some implementations, the identity systemencrypts the biometric template based on a feature transformationapproach. The identity system may derive one or more parameters of atransformation function (e.g., a bio-hashing transformation function, asalting transformation function, a non-invertible transformationfunction, and/or the like) from the one or more cryptographic keys. Theidentity system may use the transformation function to transform thebiometric template. Alternatively, and/or additionally, the identitysystem may encrypt the biometric template based on a biometriccryptosystem, a key-binding biometric cryptosystem, a key generatingbiometric cryptosystem, and/or the like.

As shown in FIG. 1D, and by reference number 140, the identity systemstores, in a secure storage associated with the user, at least one ofthe digital identifier, a public key of the one or more cryptographickeys, a phone number associated with the user, or the one or morebiometric templates. In some implementations, the secure storage is awallet stored in a memory within the trusted execution environment. Insome implementations, the secure storage is a wallet stored in a memoryof the client device. In some implementations, the secure storage is asecure memory of another device (e.g., a server device associated with agovernmental entity).

As shown in FIG. 1E, and by reference number 145, the identity systemreceives, from the client device, a telephone call from the userrequesting an operation (e.g., issuance of a government credential). Forexample, the user may utilize the client device to call the identitysystem to acquire a digital verification of the user's identity (e.g., agovernment credential) for obtaining a driver's license, registering tovote, enrolling in a government program, and/or the like.

As shown by reference number 150, the identity system identifies theuser from the secure storage and determines the passphrase for the user.The identity system may identify the secure storage associated with theuser based on the phone number or another identifier associated with theuser and/or the client device utilized by the user to call the identitysystem. The secure storage may include information identifying the userand/or information identifying the passphrase.

As shown by reference number 155, the identity system provides a requestfor the passphrase to the client device. The identity system may obtainthe passphrase from the secure storage. The identity system may promptthe user to speak the passphrase based on obtaining the passphrase fromthe secure storage. For example, the identity system may provide a voiceoutput to the client device. The voice output may instruct the user tospeak the passphrase.

As shown by reference number 160, the identity system receives, from theclient device, another voice input of the user speaking the passphrase.The other voice input may correspond to the user speaking the passphrasebased on being prompted to speak the passphrase by the identity systemto generate another voice input signal. In some implementations, theidentity system performs a quality assessment on the other voice inputsignal in a manner similar to that described above.

As shown by reference number 165, the identity system verifies the othervoice input. The identity system may generate a signing key associatedwith the user based on the other voice input signal and/or based onperforming the quality assessment. The identity system may utilize aFuzzy extractor to generate another string R based on the other voiceinput signal, in a manner similar to that described above. The identitysystem may obtain the one or more encrypted biometric templates from thesecure storage and may utilize the signing key to decrypt the one ormore encrypted biometric templates.

The identity system may verify the other voice input based on the one ormore biometric templates. For example, the identity system may comparethe other voice input signal and the one or more biometric templates.The identity system may verify the other voice input based on thecomparison.

As shown in FIG. 1F, and by reference number 170, the identity systemprovides an encrypted operation request message to a server deviceassociated with an entity (e.g., a governmental entity). The identitysystem may generate an operation request message based on verifying theother voice input. The operation request message may include a requestfor a credential associated with the user. The credential may be atrusted identification credential issued by a trusted entity (e.g., agovernment credential issued by a government agency). The identitysystem may utilize the signing key to sign the operation request messageand to generate the encrypted operation request message. The identitysystem may transmit the encrypted operation request message to theserver device associated with the entity.

As shown by reference number 175, the identity system receives thecredential from the server device based on the encrypted credentialrequest message. The identity system may identify the secure storageassociated with the user based on receiving the credential. In someimplementations, the identity system identifies the secure storage basedon the digital identifier. In some implementations, the identity systemreceives the digital identifier from the server device based ontransmitting the encrypted operation request message. In someimplementations, the identity system generates the digital identifierbased on the other voice input signal in a manner similar to thatdescribed above. In some implementations, the identity system receivesthe digital identifier from the client device. For example, the digitalidentifier may be stored in a memory of the client device and the clientdevice may provide the digital identifier to the identity system basedon providing the other voice input to the identity system. As shown byreference number 180, the identity system stores the credential in thesecure storage associated with the user.

The identity system may determine an entity requiring the user'sidentity to be verified. In some implementations, the identity systemrequests information identifying the entity from the user (e.g., via anaudio message, a text message, and/or the like transmitted to the clientdevice). The user may provide an input (e.g., a voice input, a textinput, and/or the like) identifying the entity. The identity system mayidentify the entity based on the input. The identity system maydetermine a device (e.g., a server device, a client device, and/oranother type of device) associated with the entity (e.g., by accessing adata structure (e.g., a database, a list, a table, and/or the like)storing information mapping entities to addresses of devices associatedwith the entities). In some implementations, the identity systemprovides the credential to the device associated with the entity toenable the device to verify the identity of the user. Alternatively,and/or additionally, the identity system may provide the digitalidentifier to the device associated with the entity to enable the entityto retrieve the credential from the secure storage. In someimplementations, the identity system provides the credential and/or thedigital identifier based on the entity performing a physical identityverification on the user. The entity may obtain the credential from theidentity system and may verify the identity of the user based on thecredential.

In some implementations, the operation may be a secure transaction(e.g., a financial transaction). The identity system may transmit thecredential to a device associated with performing the securetransaction. The identity system may receive transaction informationassociated with the secured transaction being performed by the devicebased on transmitting the credential to the device. The identity systemmay store the transaction information in the secured storage associatedwith the user.

As indicated above, FIGS. 1A-1F are provided as an example. Otherexamples may differ from what is described with regard to FIGS. 1A-1F.The number and arrangement of devices shown in FIGS. 1A-1F are providedas an example. In practice, there may be additional devices, fewerdevices, different devices, or differently arranged devices than thoseshown in FIGS. 1A-1F. Furthermore, two or more devices shown in FIGS.1A-1F may be implemented within a single device, or a single deviceshown in FIGS. 1A-1F may be implemented as multiple, distributeddevices. Additionally, or alternatively, a set of devices (e.g., one ormore devices) shown in FIGS. 1A-1F may perform one or more functionsdescribed as being performed by another set of devices shown in FIGS.1A-1F.

FIG. 2 is a diagram of an example environment 200 in which systemsand/or methods described herein may be implemented. As shown in FIG. 2,environment 200 may include an identity system 201, which may includeone or more elements of and/or may execute within a cloud computingsystem 202. The cloud computing system 202 may include one or moreelements 203-213, as described in more detail below. As further shown inFIG. 2, environment 200 may include a network 220, a client device 230,and/or a server device 240. Devices and/or elements of environment 200may interconnect via wired connections and/or wireless connections.

The cloud computing system 202 includes computing hardware 203, aresource management component 204, a host operating system (OS) 205,and/or one or more virtual computing systems 206. The resourcemanagement component 204 may perform virtualization (e.g., abstraction)of computing hardware 203 to create the one or more virtual computingsystems 206. Using virtualization, the resource management component 204enables a single computing device (e.g., a computer, a server, and/orthe like) to operate like multiple computing devices, such as bycreating multiple isolated virtual computing systems 206 from computinghardware 203 of the single computing device. In this way, computinghardware 203 can operate more efficiently, with lower power consumption,higher reliability, higher availability, higher utilization, greaterflexibility, and lower cost than using separate computing devices.

Computing hardware 203 includes hardware and corresponding resourcesfrom one or more computing devices. For example, computing hardware 203may include hardware from a single computing device (e.g., a singleserver) or from multiple computing devices (e.g., multiple servers),such as multiple computing devices in one or more data centers. Asshown, computing hardware 203 may include one or more processors 207,one or more memories 208, one or more storage components 209, and/or oneor more networking components 210. Examples of a processor, a memory, astorage component, and a networking component (e.g., a communicationcomponent) are described elsewhere herein.

The resource management component 204 includes a virtualizationapplication (e.g., executing on hardware, such as computing hardware203) capable of virtualizing computing hardware 203 to start, stop,and/or manage one or more virtual computing systems 206. For example,the resource management component 204 may include a hypervisor (e.g., abare-metal or Type 1 hypervisor, a hosted or Type 2 hypervisor, and/orthe like) or a virtual machine monitor, such as when the virtualcomputing systems 206 are virtual machines 211. Additionally, oralternatively, the resource management component 204 may include acontainer manager, such as when the virtual computing systems 206 arecontainers 212. In some implementations, the resource managementcomponent 204 executes within and/or in coordination with a hostoperating system 205.

A virtual computing system 206 includes a virtual environment thatenables cloud-based execution of operations and/or processes describedherein using computing hardware 203. As shown, a virtual computingsystem 206 may include a virtual machine 211, a container 212, a hybridenvironment 213 that includes a virtual machine and a container, and/orthe like. A virtual computing system 206 may execute one or moreapplications using a file system that includes binary files, softwarelibraries, and/or other resources required to execute applications on aguest operating system (e.g., within the virtual computing system 206)or the host operating system 205.

Although the identity system 201 may include one or more elements203-213 of the cloud computing system 202, may execute within the cloudcomputing system 202, and/or may be hosted within the cloud computingsystem 202, in some implementations, the identity system 201 may not becloud-based (e.g., may be implemented outside of a cloud computingsystem) or may be partially cloud-based. For example, the identitysystem 201 may include one or more devices that are not part of thecloud computing system 202, such as device 300 of FIG. 3, which mayinclude a standalone server or another type of computing device. Theidentity system 201 may perform one or more operations and/or processesdescribed in more detail elsewhere herein.

Network 220 includes one or more wired and/or wireless networks. Forexample, network 220 may include a cellular network, a public landmobile network (PLMN), a local area network (LAN), a wide area network(WAN), a private network, the Internet, and/or the like, and/or acombination of these or other types of networks. The network 220 enablescommunication among the devices of environment 200.

The client device 230 includes one or more devices capable of receiving,generating, storing, processing, and/or providing information associatedwith utilizing voice biometrics to generate a secure digital identityfor a user, as described elsewhere herein. The client device 230 mayinclude a communication device and/or a computing device. For example,the client device 230 may include a wireless communication device, auser equipment (UE), a mobile phone (e.g., a smart phone or a cellphone, among other examples), a laptop computer, a tablet computer, ahandheld computer, a desktop computer, a gaming device, a wearablecommunication device (e.g., a smart wristwatch or a pair of smarteyeglasses, among other examples), an Internet of Things (IoT) device,or a similar type of device. The client device 230 may communicate withone or more other devices of environment 200, as described elsewhereherein.

The server device 240 includes one or more devices capable of receiving,generating, storing, processing, providing, and/or routing informationassociated with utilizing voice biometrics to generate a secure digitalidentity for a user, as described elsewhere herein. The server device240 may include a communication device and/or a computing device. Forexample, the server device 240 may include a server, an applicationserver, a client server, a web server, a database server, a host server,a proxy server, a virtual server (e.g., executing on computinghardware), a server in a cloud computing system, a device that includescomputing hardware used in a cloud computing environment, or a similartype of device. The server device 240 may communicate with one or moreother devices of environment 200, as described elsewhere herein.

The number and arrangement of devices and networks shown in FIG. 2 areprovided as an example. In practice, there may be additional devicesand/or networks, fewer devices and/or networks, different devices and/ornetworks, or differently arranged devices and/or networks than thoseshown in FIG. 2. Furthermore, two or more devices shown in FIG. 2 may beimplemented within a single device, or a single device shown in FIG. 2may be implemented as multiple, distributed devices. Additionally, oralternatively, a set of devices (e.g., one or more devices) ofenvironment 200 may perform one or more functions described as beingperformed by another set of devices of environment 200.

FIG. 3 is a diagram of example components of a device 300, which maycorrespond to identity system 201, client device 230, and/or serverdevice 240. In some implementations, identity system 201, client device230, and/or server device 240 may include one or more devices 300 and/orone or more components of device 300. As shown in FIG. 3, device 300 mayinclude a bus 310, a processor 320, a memory 330, a storage component340, an input component 350, an output component 360, and acommunication component 370.

Bus 310 includes a component that enables wired and/or wirelesscommunication among the components of device 300. Processor 320 includesa central processing unit, a graphics processing unit, a microprocessor,a controller, a microcontroller, a digital signal processor, afield-programmable gate array, an application-specific integratedcircuit, and/or another type of processing component. Processor 320 isimplemented in hardware, firmware, or a combination of hardware andsoftware. In some implementations, processor 320 includes one or moreprocessors capable of being programmed to perform a function. Memory 330includes a random access memory, a read only memory, and/or another typeof memory (e.g., a flash memory, a magnetic memory, and/or an opticalmemory).

Storage component 340 stores information and/or software related to theoperation of device 300. For example, storage component 340 may includea hard disk drive, a magnetic disk drive, an optical disk drive, a solidstate disk drive, a compact disc, a digital versatile disc, and/oranother type of non-transitory computer-readable medium. Input component350 enables device 300 to receive input, such as user input and/orsensed inputs. For example, input component 350 may include a touchscreen, a keyboard, a keypad, a mouse, a button, a microphone, a switch,a sensor, a global positioning system component, an accelerometer, agyroscope, an actuator, and/or the like. Output component 360 enablesdevice 300 to provide output, such as via a display, a speaker, and/orone or more light-emitting diodes. Communication component 370 enablesdevice 300 to communicate with other devices, such as via a wiredconnection and/or a wireless connection. For example, communicationcomponent 370 may include a receiver, a transmitter, a transceiver, amodem, a network interface card, an antenna, and/or the like.

Device 300 may perform one or more processes described herein. Forexample, a non-transitory computer-readable medium (e.g., memory 330and/or storage component 340) may store a set of instructions (e.g., oneor more instructions, code, software code, program code, and/or thelike) for execution by processor 320. Processor 320 may execute the setof instructions to perform one or more processes described herein. Insome implementations, execution of the set of instructions, by one ormore processors 320, causes the one or more processors 320 and/or thedevice 300 to perform one or more processes described herein. In someimplementations, hardwired circuitry may be used instead of or incombination with the instructions to perform one or more processesdescribed herein. Thus, implementations described herein are not limitedto any specific combination of hardware circuitry and software.

The number and arrangement of components shown in FIG. 3 are provided asan example. Device 300 may include additional components, fewercomponents, different components, or differently arranged componentsthan those shown in FIG. 3. Additionally, or alternatively, a set ofcomponents (e.g., one or more components) of device 300 may perform oneor more functions described as being performed by another set ofcomponents of device 300.

FIG. 4 is a flowchart of an example process 400 associated withutilizing voice biometrics to generate a secure digital identity for auser. In some implementations, one or more process blocks of FIG. 4 maybe performed by a system (e.g., identity system 201). In someimplementations, one or more process blocks of FIG. 4 may be performedby another device or a group of devices separate from or including thesystem, such as a client device (e.g., client device 230) and/or aserver device (e.g., server device 240). Additionally, or alternatively,one or more process blocks of FIG. 4 may be performed by one or morecomponents of device 300, such as processor 320, memory 330, storagecomponent 340, input component 350, output component 360, and/orcommunication component 370.

As shown in FIG. 4, process 400 may include generating information thatidentifies a passphrase to be used as a biometric input (block 410). Forexample, the system may generate information that identifies apassphrase to be used as a biometric input, as described above.

In some implementations, the system may receive, via interaction with auser, a request for a digital identifier. The system may generate theinformation that identifies the passphrase based on the request for thedigital identifier. The system may provide, via interaction with theuser, information instructing the user to speak the passphrase.

As further shown in FIG. 4, process 400 may include receiving a voiceinput of a user speaking the passphrase (block 420). For example, thesystem may receive a voice input of a user speaking the passphrase, asdescribed above.

As further shown in FIG. 4, process 400 may include generating one ormore cryptographic keys based on the voice input (block 430). Forexample, the system may generate one or more cryptographic keys based onthe voice input, as described above. The one or more cryptographic keysmay include a public key and a corresponding private key.

As further shown in FIG. 4, process 400 may include generating a digitalidentifier based on the one or more cryptographic keys (block 440). Forexample, the system may generate a digital identifier based on the oneor more cryptographic keys, as described above.

As further shown in FIG. 4, process 400 may include generating one ormore biometric templates for the user (block 450). For example, thesystem may generate one or more biometric templates for the user, asdescribed above.

As further shown in FIG. 4, process 400 may include encrypting the oneor more biometric templates using the one or more cryptographic keys andto generate one or more encrypted biometric templates (block 460). Forexample, the system may encrypt the one or more biometric templatesusing the one or more cryptographic keys and to generate one or moreencrypted biometric templates, as described above.

As further shown in FIG. 4, process 400 may include storing in a securestorage associated with the user, at least one of the digitalidentifier, a public key of the one or more cryptographic keys, a phonenumber associated with the user, or the one or more encrypted biometrictemplates (block 470). For example, the system may store in a securestorage associated with the user, at least one of the digitalidentifier, a public key of the one or more cryptographic keys, a phonenumber associated with the user, or the one or more encrypted biometrictemplates, as described above.

In some implementations, the system may receive, via interaction withthe user, a user request for a trusted identification credential for theuser. The system may identify the secure storage associated with theuser based on the phone number or another identifier associated with theuser. The system may obtain the passphrase from the secure storage andmay prompt the user to speak the passphrase. The system may receiveanother voice input of the user speaking the passphrase and may generatea signing key for the user based on the other voice input. The signingkey may be generated using a fuzzy extractor technique.

The system may obtain the one or more encrypted biometric templates fromthe secure storage and may decrypt the one or more encrypted biometrictemplates using the signing key. The system may generate a request forthe trusted identification credential based on successful decryption ofthe one or more encrypted biometric templates. The system may sign therequest using the signing key to generate a signed request and maytransmit the signed request to a device associated with a trustedagency. The system may receive the trusted identification credential andthe digital identifier (e.g., based on transmitting the signed requestto the device associated with the trusted agency). The system mayidentify the secure storage based on the digital identifier and maystore the trusted identification credential in the secure storage.

In some implementations, the system may receive, via interaction withthe user, a user request for a secure operation. The system may identifythe secure storage associated with the user based on the phone number oranother identifier associated with the user. The system may obtain thepassphrase from the secure storage and may prompt the user to speak thepassphrase. The system may receive another voice input of the userspeaking the passphrase and may generate a signing key for the userbased on the other voice input. The system may obtain the one or moreencrypted biometric templates from the secure storage and may decryptthe one or more encrypted biometric templates using the signing key. Thesystem may generate a request associated with the secure operation basedon successful decryption of the one or more encrypted biometrictemplates. The system may sign the request using the signing key togenerate a signed request and may transmit the signed request to adevice associated with performing the secure operation.

The system may receive, from the device, the digital identifier andinformation generated based on performing the secure operation. Thesystem may identify the secure storage based on the digital identifier.The system may store the information generated based on performing thesecure operation in the secure storage.

Although FIG. 4 shows example blocks of process 400, in someimplementations, process 400 may include additional blocks, fewerblocks, different blocks, or differently arranged blocks than thosedepicted in FIG. 4. Additionally, or alternatively, two or more of theblocks of process 400 may be performed in parallel.

The foregoing disclosure provides illustration and description, but isnot intended to be exhaustive or to limit the implementations to theprecise form disclosed. Modifications may be made in light of the abovedisclosure or may be acquired from practice of the implementations.

As used herein, the term “component” is intended to be broadly construedas hardware, firmware, or a combination of hardware and software. Itwill be apparent that systems and/or methods described herein may beimplemented in different forms of hardware, firmware, and/or acombination of hardware and software. The actual specialized controlhardware or software code used to implement these systems and/or methodsis not limiting of the implementations. Thus, the operation and behaviorof the systems and/or methods are described herein without reference tospecific software code—it being understood that software and hardwarecan be used to implement the systems and/or methods based on thedescription herein.

As used herein, satisfying a threshold may, depending on the context,refer to a value being greater than the threshold, greater than or equalto the threshold, less than the threshold, less than or equal to thethreshold, equal to the threshold, etc., depending on the context.

Although particular combinations of features are recited in the claimsand/or disclosed in the specification, these combinations are notintended to limit the disclosure of various implementations. In fact,many of these features may be combined in ways not specifically recitedin the claims and/or disclosed in the specification. Although eachdependent claim listed below may directly depend on only one claim, thedisclosure of various implementations includes each dependent claim incombination with every other claim in the claim set.

No element, act, or instruction used herein should be construed ascritical or essential unless explicitly described as such. Also, as usedherein, the articles “a” and “an” are intended to include one or moreitems, and may be used interchangeably with “one or more.” Further, asused herein, the article “the” is intended to include one or more itemsreferenced in connection with the article “the” and may be usedinterchangeably with “the one or more.” Furthermore, as used herein, theterm “set” is intended to include one or more items (e.g., relateditems, unrelated items, a combination of related and unrelated items,etc.), and may be used interchangeably with “one or more.” Where onlyone item is intended, the phrase “only one” or similar language is used.Also, as used herein, the terms “has,” “have,” “having,” or the like areintended to be open-ended terms. Further, the phrase “based on” isintended to mean “based, at least in part, on” unless explicitly statedotherwise. Also, as used herein, the term “or” is intended to beinclusive when used in a series and may be used interchangeably with“and/or,” unless explicitly stated otherwise (e.g., if used incombination with “either” or “only one of”).

What is claimed is:
 1. A method, comprising: generating, by a system,information that identifies a passphrase to be used as a biometricinput; receiving, by the system, a voice input of a user speaking thepassphrase; generating, by the system, one or more cryptographic keysbased on the voice input; generating, by the system, a digitalidentifier based on the one or more cryptographic keys; generating, bythe system, one or more biometric templates for the user based on thevoice input, wherein a biometric template, of the one or more biometrictemplates, comprises a digital representation of one or more uniquefeatures of the voice input; encrypting, by the system, the one or morebiometric templates, using the one or more cryptographic keys togenerate one or more encrypted biometric templates; and storing, by thesystem, in a secure storage associated with the user, at least one ofthe digital identifier, a public key of the one or more cryptographickeys, a phone number associated with the user, or the one or moreencrypted biometric templates.
 2. The method of claim 1, furthercomprising: receiving, via an interaction with the user, a user requestfor a trusted identification credential for the user; identifying thesecure storage associated with the user based on the phone number oranother identifier associated with the user; obtaining the passphrasefrom the secure storage; prompting the user to speak the passphrase;receiving another voice input of the user speaking the passphrase;generating a signing key for the user based on the other voice input;obtaining the one or more encrypted biometric templates from the securestorage; decrypting the one or more encrypted biometric templates usingthe signing key; generating a request for the trusted identificationcredential based on successful decryption of the one or more encryptedbiometric templates; signing the request using the signing key togenerate a signed request; and transmitting the signed request to adevice associated with a trusted agency.
 3. The method of claim 2,further comprising: receiving the trusted identification credential andthe digital identifier; identifying the secure storage based on thedigital identifier; and storing the trusted identification credential inthe secure storage.
 4. The method of claim 2, wherein the signing key isgenerated using a fuzzy extractor technique.
 5. The method of claim 1,further comprising: receiving, via an interaction with the user, a userrequest for a secure operation; identifying the secure storageassociated with the user based on the phone number or another identifierassociated with the user; obtaining the passphrase from the securestorage; prompting the user to speak the passphrase; receiving anothervoice input of the user speaking the passphrase; generating a signingkey for the user based on the other voice input; obtaining the one ormore encrypted biometric templates from the secure storage; decryptingthe one or more encrypted biometric templates using the signing key;generating a request associated with the secure operation based onsuccessful decryption of the one or more encrypted biometric templates;signing the request using the signing key to generate a signed request;and transmitting the signed request to a device associated withperforming the secure operation.
 6. The method of claim 5, furthercomprising: receiving, from the device, the digital identifier andinformation generated based on performing the secure operation;identifying the secure storage based on the digital identifier; andstoring the information generated based on performing the secureoperation in the secure storage.
 7. The method of claim 5, wherein thesigning key is generated using a fuzzy extractor technique.
 8. A system,comprising: one or more memories; and one or more processors, coupled tothe one or more memories, configured to: generate information thatidentifies a passphrase to be used as a biometric input; receive a voiceinput of a user speaking the passphrase; generate one or morecryptographic keys based on the voice input and using a fuzzy extractortechnique, wherein the one or more cryptographic keys include a publickey and a corresponding private key; generate a digital identifier basedon the one or more cryptographic keys; generate one or more biometrictemplates for the user based on the voice input, wherein a biometrictemplate, of the one or more biometric templates, comprises a digitalrepresentation of one or more unique features of the voice input;encrypt the one or more biometric templates, using the one or morecryptographic keys, to generate one or more encrypted biometrictemplates; and store, in a secure storage associated with the user, atleast one of the digital identifier, a public key of the one or morecryptographic keys, a phone number associated with the user, or the oneor more encrypted biometric templates.
 9. The system of claim 8, whereinthe one or more processors are further configured to: receive, via afirst interaction with the user, a request for the digital identifier;generate the information that identifies the passphrase based on therequest for the digital identifier; and provide, via a secondinteraction with the user, information instructing the user to speak thepassphrase.
 10. The system of claim 8, wherein the one or moreprocessors are further configured to: receive, via an interaction withthe user, a user request for a credential for the user; identify thesecure storage associated with the user based on the phone number oranother identifier associated with the user; obtain the passphrase fromthe secure storage; prompt the user to speak the passphrase; receiveanother voice input of the user speaking the passphrase; generate asigning key for the user based on the other voice input; obtain the oneor more encrypted biometric templates from the secure storage; decryptthe one or more encrypted biometric templates using the signing key;generate a request for the credential based on successful decryption ofthe one or more encrypted biometric templates; sign the request usingthe signing key to generate a signed request; and transmit the signedrequest to a device associated with an entity providing the credential.11. The system of claim 10, wherein the one or more processors arefurther configured to: receive, from the device, the credential and thedigital identifier; identify the secure storage based on the digitalidentifier; and store the credential in the secure storage.
 12. Thesystem of claim 10, wherein the signing key is generated using a fuzzyextractor technique.
 13. The system of claim 8, wherein the one or moreprocessors are further configured to: receive, via an interaction withthe user, a user request for a secure transaction; identify the securestorage associated with the user based on the phone number or anotheridentifier associated with the user; obtain the passphrase from thesecure storage; prompt the user to speak the passphrase; receive anothervoice input of the user speaking the passphrase; generate a signing keyfor the user based on the other voice input; obtain the one or moreencrypted biometric templates from the secure storage; decrypt the oneor more encrypted biometric templates using the signing key; generate arequest associated with the secure transaction based on successfuldecryption of the one or more encrypted biometric templates; sign therequest using the signing key to generate a signed request; and transmitthe signed request to a device associated with performing the securetransaction.
 14. The system of claim 13, wherein the one or moreprocessors are further configured to: receive, from the device, thedigital identifier and transaction information generated based onperforming the secure transaction; identify the secure storage based onthe digital identifier; and store the transaction information in thesecure storage.
 15. A non-transitory computer-readable medium storing aset of instructions, the set of instructions comprising: one or moreinstructions that, when executed by one or more processors of a system,cause the system to: receive, via a first interaction with a user, arequest for a digital identifier for the user; generate, based on therequest, information that identifies a passphrase to be used as abiometric input; provide, via a second interaction with the user,information instructing the user to speak the passphrase; receive avoice input of the user speaking the passphrase; generate one or morecryptographic keys based on the voice input; generate a digitalidentifier based on the one or more cryptographic keys; generate one ormore biometric templates for the user based on the voice input, whereina biometric template, of the one or more biometric templates, comprisesa digital representation of one or more unique features of the voiceinput; encrypt the one or more biometric templates, using the one ormore cryptographic keys, to generate one or more encrypted biometrictemplates; and store, in a secure storage associated with the user, atleast one of the digital identifier, a public key of the one or morecryptographic keys, a phone number associated with the user, or the oneor more encrypted biometric templates.
 16. The non-transitorycomputer-readable medium of claim 15, wherein the one or morecryptographic keys are generated using a fuzzy extractor technique. 17.The non-transitory computer-readable medium of claim 15, wherein the oneor more cryptographic keys include the public key and a correspondingprivate key.
 18. The non-transitory computer-readable medium of claim15, wherein the one or more instructions further cause the system to:receive, via a third interaction with the user, a user request for anidentification credential for the user; identify the secure storageassociated with the user based on the phone number or another identifierassociated with the user; obtain the passphrase from the secure storage;prompt the user to speak the passphrase; receive another voice input ofthe user speaking the passphrase; generate a signing key for the userbased on the other voice input; obtain the one or more encryptedbiometric templates from the secure storage; decrypt the one or moreencrypted biometric templates using the signing key; generate a requestfor the identification credential based on successful decryption of theone or more encrypted biometric templates; sign the request using thesigning key to generate a signed request; transmit the signed request toa device associated with the identification credential; receive, fromthe device, the identification credential and the digital identifier;identify the secure storage based on the digital identifier; and storethe identification credential in the secure storage.
 19. Thenon-transitory computer-readable medium of claim 15, wherein the one ormore instructions further cause the system to: receive, via a thirdinteraction with the user, a user request for a secure transaction;identify the secure storage associated with the user based on the phonenumber or another identifier associated with the user; obtain thepassphrase from the secure storage; prompt the user to speak thepassphrase; receive another voice input of the user speaking thepassphrase; generate a signing key for the user based on the other voiceinput; obtain the one or more encrypted biometric templates from thesecure storage; decrypt the one or more encrypted biometric templatesusing the signing key; generate a request associated with the securetransaction based on successful decryption of the one or more encryptedbiometric templates; sign the request using the signing key to generatea signed request; transmit the signed request to a device associatedwith performing the secure transaction; receive, from the device, thedigital identifier and transaction information generated based onperforming the secure transaction; identify the secure storage based onthe digital identifier; and store the transaction information in thesecure storage.
 20. The non-transitory computer-readable medium of claim19, wherein the signing key is generated using a fuzzy extractortechnique.